Coverage Report

Created: 2020-11-21 08:34

/src/botan/src/lib/tls/tls_callbacks.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* TLS Callbacks
3
* (C) 2016 Jack Lloyd
4
*     2017 Harry Reimann, Rohde & Schwarz Cybersecurity
5
*
6
* Botan is released under the Simplified BSD License (see license.txt)
7
*/
8
9
#include <botan/tls_callbacks.h>
10
#include <botan/tls_policy.h>
11
#include <botan/tls_algos.h>
12
#include <botan/x509path.h>
13
#include <botan/ocsp.h>
14
#include <botan/dh.h>
15
#include <botan/ecdh.h>
16
#include <botan/tls_exceptn.h>
17
#include <botan/internal/ct_utils.h>
18
19
#if defined(BOTAN_HAS_CURVE_25519)
20
  #include <botan/curve25519.h>
21
#endif
22
23
namespace Botan {
24
25
void TLS::Callbacks::tls_inspect_handshake_msg(const Handshake_Message&)
26
142k
   {
27
   // default is no op
28
142k
   }
29
30
std::string TLS::Callbacks::tls_server_choose_app_protocol(const std::vector<std::string>&)
31
0
   {
32
0
   return "";
33
0
   }
34
35
std::string TLS::Callbacks::tls_peer_network_identity()
36
6.67k
   {
37
6.67k
   return "";
38
6.67k
   }
39
40
void TLS::Callbacks::tls_modify_extensions(Extensions&, Connection_Side)
41
31.6k
   {
42
31.6k
   }
43
44
void TLS::Callbacks::tls_examine_extensions(const Extensions&, Connection_Side)
45
30.5k
   {
46
30.5k
   }
47
48
std::string TLS::Callbacks::tls_decode_group_param(Group_Params group_param)
49
24.9k
   {
50
24.9k
   return group_param_to_string(group_param);
51
24.9k
   }
52
53
void TLS::Callbacks::tls_verify_cert_chain(
54
   const std::vector<X509_Certificate>& cert_chain,
55
   const std::vector<std::shared_ptr<const OCSP::Response>>& ocsp_responses,
56
   const std::vector<Certificate_Store*>& trusted_roots,
57
   Usage_Type usage,
58
   const std::string& hostname,
59
   const TLS::Policy& policy)
60
526
   {
61
526
   if(cert_chain.empty())
62
0
      throw Invalid_Argument("Certificate chain was empty");
63
64
526
   Path_Validation_Restrictions restrictions(policy.require_cert_revocation_info(),
65
526
                                             policy.minimum_signature_strength());
66
67
526
   Path_Validation_Result result =
68
526
      x509_path_validate(cert_chain,
69
526
                         restrictions,
70
526
                         trusted_roots,
71
526
                         (usage == Usage_Type::TLS_SERVER_AUTH ? hostname : ""),
72
526
                         usage,
73
526
                         std::chrono::system_clock::now(),
74
526
                         tls_verify_cert_chain_ocsp_timeout(),
75
526
                         ocsp_responses);
76
77
526
   if(!result.successful_validation())
78
526
      {
79
526
      throw TLS_Exception(Alert::BAD_CERTIFICATE,
80
526
                          "Certificate validation failure: " + result.result_string());
81
526
      }
82
526
   }
83
84
std::vector<uint8_t> TLS::Callbacks::tls_sign_message(
85
   const Private_Key& key,
86
   RandomNumberGenerator& rng,
87
   const std::string& emsa,
88
   Signature_Format format,
89
   const std::vector<uint8_t>& msg)
90
0
   {
91
0
   PK_Signer signer(key, rng, emsa, format);
92
93
0
   return signer.sign_message(msg, rng);
94
0
   }
95
96
bool TLS::Callbacks::tls_verify_message(
97
   const Public_Key& key,
98
   const std::string& emsa,
99
   Signature_Format format,
100
   const std::vector<uint8_t>& msg,
101
   const std::vector<uint8_t>& sig)
102
197
   {
103
197
   PK_Verifier verifier(key, emsa, format);
104
105
197
   return verifier.verify_message(msg, sig);
106
197
   }
107
108
std::pair<secure_vector<uint8_t>, std::vector<uint8_t>> TLS::Callbacks::tls_dh_agree(
109
   const std::vector<uint8_t>& modulus,
110
   const std::vector<uint8_t>& generator,
111
   const std::vector<uint8_t>& peer_public_value,
112
   const Policy& policy,
113
   RandomNumberGenerator& rng)
114
219
   {
115
219
   BigInt p = BigInt::decode(modulus);
116
219
   BigInt g = BigInt::decode(generator);
117
219
   BigInt Y = BigInt::decode(peer_public_value);
118
119
   /*
120
    * A basic check for key validity. As we do not know q here we
121
    * cannot check that Y is in the right subgroup. However since
122
    * our key is ephemeral there does not seem to be any
123
    * advantage to bogus keys anyway.
124
    */
125
219
   if(Y <= 1 || Y >= p - 1)
126
2
      throw TLS_Exception(Alert::ILLEGAL_PARAMETER,
127
2
                          "Server sent bad DH key for DHE exchange");
128
129
217
   DL_Group group(p, g);
130
131
217
   if(!group.verify_group(rng, false))
132
108
      throw TLS_Exception(Alert::INSUFFICIENT_SECURITY,
133
108
                          "DH group validation failed");
134
135
109
   DH_PublicKey peer_key(group, Y);
136
137
109
   policy.check_peer_key_acceptable(peer_key);
138
139
109
   DH_PrivateKey priv_key(rng, group);
140
109
   PK_Key_Agreement ka(priv_key, rng, "Raw");
141
109
   secure_vector<uint8_t> dh_secret = CT::strip_leading_zeros(
142
109
      ka.derive_key(0, peer_key.public_value()).bits_of());
143
144
109
   return std::make_pair(dh_secret, priv_key.public_value());
145
109
   }
146
147
std::pair<secure_vector<uint8_t>, std::vector<uint8_t>> TLS::Callbacks::tls_ecdh_agree(
148
   const std::string& curve_name,
149
   const std::vector<uint8_t>& peer_public_value,
150
   const Policy& policy,
151
   RandomNumberGenerator& rng,
152
   bool compressed)
153
666
   {
154
666
   secure_vector<uint8_t> ecdh_secret;
155
666
   std::vector<uint8_t> our_public_value;
156
157
666
   if(curve_name == "x25519")
158
12
      {
159
12
#if defined(BOTAN_HAS_CURVE_25519)
160
12
      if(peer_public_value.size() != 32)
161
1
         {
162
1
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE, "Invalid X25519 key size");
163
1
         }
164
165
11
      Curve25519_PublicKey peer_key(peer_public_value);
166
11
      policy.check_peer_key_acceptable(peer_key);
167
11
      Curve25519_PrivateKey priv_key(rng);
168
11
      PK_Key_Agreement ka(priv_key, rng, "Raw");
169
11
      ecdh_secret = ka.derive_key(0, peer_key.public_value()).bits_of();
170
171
      // X25519 is always compressed but sent as "uncompressed" in TLS
172
11
      our_public_value = priv_key.public_value();
173
#else
174
      throw Internal_Error("Negotiated X25519 somehow, but it is disabled");
175
#endif
176
11
      }
177
654
   else
178
654
      {
179
654
      EC_Group group(OID::from_string(curve_name));
180
654
      ECDH_PublicKey peer_key(group, group.OS2ECP(peer_public_value));
181
654
      policy.check_peer_key_acceptable(peer_key);
182
654
      ECDH_PrivateKey priv_key(rng, group);
183
654
      PK_Key_Agreement ka(priv_key, rng, "Raw");
184
654
      ecdh_secret = ka.derive_key(0, peer_key.public_value()).bits_of();
185
650
      our_public_value = priv_key.public_value(compressed ? PointGFp::COMPRESSED : PointGFp::UNCOMPRESSED);
186
654
      }
187
188
665
   return std::make_pair(ecdh_secret, our_public_value);
189
666
   }
190
191
}